DeFi Platform Poly Network Hacked, Hackers Ready To Return The Funds

The DeFi ecosystem got struck by one of the biggest hacks in the entire crypto sector, as illicit entities managed to steal $611 million worth of Wrapped Bitcoin (WBTC), Wrapped Ethereum (WETH), and other cryptocurrencies from the cross-chain platform Poly Network.

The SlowMist security team first announced the attack, and an official statement from the interoperability platform followed. Poly Networks decided to beg the hackers to return the stolen funds, citing that the amount stolen “is the biggest one in defi history," and that "law enforcement in any country will regard this as a major economic crime and hackers will be pursued."

Meanwhile, Poly Network, alongside SlowMist, identified the root cause of the hack. It turns out that “the hacker exploited a vulnerability between contract calls, exploit was not caused by the single keeper as rumored.”

SlowMist published a breakdown of the attack mechanism, pinpointing the exact place of entry for hackers.

“The core of this attack is that the verifyHeaderAndExecuteTx function of the EthCrossChainManager contract can execute specific cross-chain transactions through the _executeCrossChainTx function.”, SlowMist noted, adding that “after replacing the address of the keeper role, the attacker can construct a transaction at will and withdraw any amount of funds from the contract.”

Data also shows that the $611 million worth of cryptos was transferred to three wallet addresses. Immediately after the attack, the crypto sector responded in support of the DeFi protocol, with Tether freezing 33 million USDT tokens on the attacker addresses, as announced by Tether’s CTO Paolo Ardoino.

Binance’s CEO Changpeng Zhao, or CZ, noted that “while no one controls BSC (or ETH), we are coordinating with all our security partners to proactively help,” joining Ardoino’s efforts.

Source: Twitter

Meanwhile, hackers sent a message with one of their ETH transactions, citing “Ready to return the fund”.

Hackers initially gathered around the idea of creating a decentralized autonomous organization to let the audience decide the fate of the ill-gotten cryptocurrency fortune. However, after putting their “names” among the biggest crypto hackers to date, their most recent moves suggest they are “no longer interested” in creating a DAO for illicitly acquired cryptos.

As of press time, the attackers started returning a portion of the stolen funds. So far, a total of $4.7 million worth of cryptocurrencies are sent back to Poly Network. $1 million was sent back in USDC, while another $1.1 million was sent in a BSC bitcoin-pegged token, dubbed BTCB. Also, the attackers sent a $2 million portion in Shiba Inu (SHIB), and $600,000 worth of FEI.